Impacted versions
-
Confluent Platform < 7.3.14, 7.4.11, 7.5.10, 7.6.7, 7.7.5, 7.8.4, 7.9.3, 8.0.1.
Note: By default, these versions are not vulnerable unless Confluent Platform logging configurations are overridden and the log level is set to Debug
Recommended action
- Confluent Platform: Please upgrade to CP versions: 7.4.14, 7.5.13, 7.6.10, 7.7.8, 7.8.7, 7.9.6, 8.0.4, 8.1.3
Issue
Debug level logging statements were identified in Confluent Platform that would result in underlying Confluent Kafka HTTP REST based requests to be logged that may also include sensitive parameters. The security issue only manifests when the logging level is set to Debug level. As a result, any instantiation of Confluent Platform components with Debug level enabled can result in un-obfuscated sensitive information to be displayed in standard output and exposed to any downstream logging pipelines.
Mitigation
Validate logging configurations and ensure that log level is set above Debug level
Remediation
This issue is resolved in the CP patch release versions 7.4.11, 7.5.10,7.6.7, 7.7.5, 7.8.4, 7.9.3, 8.0.1. These fixes adequately address this issue, as the vulnerable Debug level logging statement was refactored to remove sensitive values.
CVSS Scores:
- Original: 7.4 (CVSS v3.1 Calculator)
- Adjusted: 4.4 (Adjusted CVSS v3.1 Calculator)